fix(install): detect TLS cert-trust failures during npm install on Windows #40588
Merged
Port from anomalyco/opencode#30749. When compression.enabled is false, NO automatic compaction trigger may fire. The proactive token-threshold paths (preflight + post-response should_compress gate) already honoured the setting, but the three provider-overflow recovery paths in the agent loop — long-context-tier 429, 413 payload-too-large, and context-overflow — called _compress_context() unconditionally, silently compressing and rotating the session against the user's explicit choice. Add a single guard at the top of the overflow-recovery dispatch: when compression is disabled and the error is one of those three overflow classes, surface a terminal error (compaction_disabled: True) telling the user to /compress manually, /new, switch to a larger-context model, or reduce attachments. Manual /compress (force=True) is unaffected — it never enters this loop. Tests: new TestOverflowWithCompactionDisabled (413 + 400 overflow don't compress when disabled; control case still compresses when enabled). Existing overflow-recovery tests updated to enable compaction explicitly (they verify the recovery fires); fixture defaults flipped to True to match production (compression.enabled defaults to True).
…ndows

Corporate MITM proxies and missing root CAs surface as 'unable to get local issuer certificate' while npm (most often Electron's install.js postinstall) downloads over HTTPS. The installer surfaced this as an opaque 'desktop workspace npm install failed (exit 1)', so users misread it as a permissions/admin-rights problem (issue #38016). Add a shared Show-NpmCertHint detector and route all three npm-install failure paths (agent-browser global install, browser-tools workspace, desktop workspace) through it. On a cert error it prints actionable NODE_EXTRA_CA_CERTS / strict-ssl remediation; on any other failure it stays silent.
changman pushed a commit to changman/hermes-agent that referenced this pull request Jun 10, 2026
…ndows (NousResearch#40588)

* fix: respect disabled auto-compaction on context overflow

Port from anomalyco/opencode#30749. When compression.enabled is false, NO automatic compaction trigger may fire. The proactive token-threshold paths (preflight + post-response should_compress gate) already honoured the setting, but the three provider-overflow recovery paths in the agent loop — long-context-tier 429, 413 payload-too-large, and context-overflow — called _compress_context() unconditionally, silently compressing and rotating the session against the user's explicit choice. Add a single guard at the top of the overflow-recovery dispatch: when compression is disabled and the error is one of those three overflow classes, surface a terminal error (compaction_disabled: True) telling the user to /compress manually, /new, switch to a larger-context model, or reduce attachments. Manual /compress (force=True) is unaffected — it never enters this loop. Tests: new TestOverflowWithCompactionDisabled (413 + 400 overflow don't compress when disabled; control case still compresses when enabled). Existing overflow-recovery tests updated to enable compaction explicitly (they verify the recovery fires); fixture defaults flipped to True to match production (compression.enabled defaults to True).

* fix(install): detect TLS cert-trust failures during npm install on Windows

Corporate MITM proxies and missing root CAs surface as 'unable to get local issuer certificate' while npm (most often Electron's install.js postinstall) downloads over HTTPS. The installer surfaced this as an opaque 'desktop workspace npm install failed (exit 1)', so users misread it as a permissions/admin-rights problem (issue NousResearch#38016). Add a shared Show-NpmCertHint detector and route all three npm-install failure paths (agent-browser global install, browser-tools workspace, desktop workspace) through it. On a cert error it prints actionable NODE_EXTRA_CA_CERTS / strict-ssl remediation; on any other failure it stays silent.
Summary
Windows installs that fail on a corporate proxy now tell the user it's a TLS certificate-trust problem and how to fix it, instead of an opaque npm install failed (exit 1).

Root cause for #38016: the desktop stage's npm ci runs Electron's install.js, which downloads the Electron binary over HTTPS. A corporate MITM proxy / missing root CA makes Node throw RequestError: unable to get local issuer certificate. The installer reported only the generic exit code, so the reporter misread it as an admin-rights issue. Admin rights were never the problem — the install reached the desktop stage fine.

Changes

* scripts/install.ps1: add shared Show-NpmCertHint helper that detects the TLS-trust signatures (unable to get local issuer certificate, self-signed certificate, UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SELF_SIGNED_CERT_IN_CHAIN, CERT_HAS_EXPIRED) and prints NODE_EXTRA_CA_CERTS / strict-ssl remediation.
* Install-AgentBrowser (global npm install -g)
* _Run-NpmInstall (browser-tools workspace)
* Install-Desktop (desktop workspace — the [Setup]: Hermes Desktop failed on Windows 11 without admin right #38016 repro; output is Tee'd to a variable so the detector can scan it while still streaming live)

Validation

Verified with real PowerShell 7.4.6 (Parser::ParseFile + behavior harness): True, False, False, Tee-Object -Variable

Full script parses with zero errors.

Closes #38016.
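A detector along the lines the description outlines, as an added example and not the PR's own Show-NpmCertHint code. The function names, the sample npm output and the PEM path are assumptions; the signature strings are the ones listed under Changes.

```powershell
# Added example: hypothetical helper names, not the project's implementation.
# Signature strings are those listed in the PR description.
$script:CertTrustSignatures = @(
    'unable to get local issuer certificate',
    'self-signed certificate',
    'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
    'SELF_SIGNED_CERT_IN_CHAIN',
    'CERT_HAS_EXPIRED'
)

function Find-NpmCertTrustSignature {
    param([object[]]$Output)
    # Output captured with Tee-Object -Variable mixes strings and ErrorRecords
    # (from 2>&1); stringify every item before matching.
    $text = ($Output | ForEach-Object { "$_" }) -join "`n"
    foreach ($sig in $script:CertTrustSignatures) {
        # Literal, case-insensitive substring match: no regex metacharacter surprises.
        if ($text.IndexOf($sig, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $sig
        }
    }
    return $null
}

function Write-CertTrustHint {
    param([object[]]$Output)
    $sig = Find-NpmCertTrustSignature -Output $Output
    if (-not $sig) { return $false }   # any other failure: print nothing
    Write-Host "npm failed on TLS certificate trust (matched '$sig')." -ForegroundColor Yellow
    Write-Host '  Export the root CA your proxy signs with as PEM, then set:'
    Write-Host '    $env:NODE_EXTRA_CA_CERTS = "C:\path\to\corp-root.pem"   # placeholder path'
    Write-Host '  strict-ssl=false turns off certificate verification for npm;'
    Write-Host '  if used to confirm the diagnosis, set it back to true afterwards.'
    return $true
}

# Constructed sample output (not taken from a real run).
$certFailure = @(
    'npm error code 1',
    'npm error command failed',
    'npm error RequestError: unable to get local issuer certificate'
)
$otherFailure = @('npm error code EPERM', 'npm error syscall rename')

# In an installer the variable would be filled while output still streams, e.g.
#   npm ci 2>&1 | Tee-Object -Variable npmOut
$null = Write-CertTrustHint -Output $certFailure    # prints the hint
$null = Write-CertTrustHint -Output $otherFailure   # stays silent
```

Matching on literal substrings rather than on the exit code is what separates a trust failure from the generic exit 1 that the issue reporter saw.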